This topic describes EXECUTE privileges.

An SPL program (function, stored procedure, or package) can be executed only if one of the following conditions is met:

  • The current user has been granted the EXECUTE privilege on the SPL program.
  • The current user inherits the EXECUTE privilege on the SPL program because the user is a member of a group that has this EXECUTE privilege.
  • The EXECUTE privilege has been granted to the PUBLIC group.

When you create an SPL program in PolarDB for Oracle, the EXECUTE privilege is automatically granted to the PUBLIC group by default. Therefore, a user can immediately execute the program.

You can run the REVOKEEXECUTE command to delete this default privilege, as shown in the following example:

REVOKE EXECUTE ON PROCEDURE list_emp FROM PUBLIC;

Then, the explicit EXECUTE privilege on the program can be granted to each user or a group.

GRANT EXECUTE ON PROCEDURE list_emp TO john;

At present, User john can execute the list_emp program. Other users who do not meet a condition listed at the beginning of this topic cannot execute this program.

After a program starts to be executed, the next aspect of security is what privilege checks occur if the program attempts to perform an action on a database object. The actions include:

  • Reading or modifying table or view data
  • Creating, modifying, or deleting a database object such as a table, view, index, or sequence
  • Obtaining the current or next value from a sequence
  • Calling another program (a function, stored procedure, or package)

On the database object, privileges that are allowed or disallowed for the user can protect each of these actions.

Note A database can have multiple objects that have the same type and name, but each of these objects belongs to a different schema in the database. For more information about which object is being referenced by an SPL program in this case, see Name resolution of database objects.